
Aug. 30 — A tight 72-hour window to report data breaches in the European Union is of concern
to companies due to uncertainties over how the short new time frame will work in practice,
privacy professionals told Bloomberg BNA.

The EU General Data Protection Regulation's 72-hour data breach notification requirement
is set to take effect in May 2018. But the extent of the burden it imposes will largely
be determined by how the GDPR will be interpreted and enforced, they said.

Also of importance will be what specific information various privacy regulators in
the EU bloc will require companies to report, they said.

The three-day window “will be extremely difficult to meet,” Wim Nauwelaerts, data
protection partner at Hunton & Williams LLP in Brussels, told Bloomberg BNA. “It is
important to first find out exactly what happened, and this fact-finding often takes
more than 72 hours.”

Michael Bruemmer, vice president of Experian PLC, told Bloomberg BNA that 72 hours
may be reasonable, because some U.S. states have similar requirements now. But it
is reasonable only so long as EU regulators don't expect a full accounting of the
parameters of the breach within that window, he said.

Cédric Burton, privacy and data protection of counsel at Wilson Sonsini Goodrich &
Rosati in Brussels, told Bloomberg BNA that if privacy regulators expect breach notice
within 72 hours in most situations, it will force companies to prioritize giving notice
“while they could better allocate resources, for example, to address the breach and
mitigate the risk for individuals.”

The failure to comply with the notice requirement could result in a fine of 10 million
euros ($11.29 million) or 2 percent of a company's worldwide revenue, whichever is
higher.

EU negotiators Dec. 15, 2015 concluded nearly four years of talks on the final text of
the GDPR (14 PVLR 2289, 12/21/15). The GDPR replaces the now over 20-year-old EU Data Protection Directive (95/46/EC).

Although U.S. jurisdictions have had data breach notification laws for years—California
passed the first in 2003—European companies have never been subject to a mandatory
breach notification law that applied to all companies before the GDPR, although the
EU has had sector-specific breach notice laws. Telecommunications companies are subject
to breach notice requirements under 2009 amendments to the EU e-Privacy Directive.
The GDPR would be the first EU breach notice law applicable to companies in all sectors.

“The precursor to GDPR is really the U.S. with the advent of the California law and
other state laws, and then the federal laws with the Health Insurance Portability
and Accountability Act of 1996 and the Health Information Technology for Economic
and Clinical Health Act,” Bruemmer said.

Compliance with the GDPR notice requirement could be even more difficult for companies
that have to comply with a similar rule in the e-Privacy Directive, mainly for telecommunications
and internet service providers. These companies “will need to deal with multiple reporting
requirements in a very tight time frame,”
Nauwelaerts said.

GDPR Requirements Still Unclear

Article 33 of the GDPR will require data controllers to report personal data breaches
to the appropriate privacy regulator “without undue delay and, where feasible, not
later than 72 hours after having become aware” of the breach, unless the breach “is
unlikely to result in a risk to the rights and freedoms of natural persons.”

When a data processor discovers a breach, it must notify the data controller “without
undue delay.”

“It will be problematic even if there is a bit of flexibility built into the GDPR,”
Burton said.

The law's qualifications for notifying privacy regulators “without undue delay,” and
within 72 hours “where feasible,” provide some flexibility, but the extent of the
flexibility will depend on how DPAs decide to interpret the law.

“It remains to be seen what exactly regulators expect to be disclosed within the period,”
Bruemmer said. Data controllers may not have much of a problem with 72-hour notification
if they only need to alert DPAs about an incident and let them know that an investigation
is underway, instead of providing a full accounting of the breach, he said.

Article 33 requires that the breach notification include:

the nature of the breach, “including where possible, the categories and approximate
number of data subjects concerned” and personal data records concerned;

the likely consequences of the breach; and

the measures taken and proposed to be taken to address the breach, including measures
to mitigate adverse effects.

Determining the nature and likely consequences of the breach could be a very straightforward
exercise, if it's a lost spreadsheet or laptop.

“On the other hand, if an incident is the result of hacking, which is increasingly
becoming the source of company data breaches, then the information outlined above
can be very difficult to obtain early in the investigation,” Bruemmer said.

Lokke Moerel, senior of counsel in the Privacy and Data Security practice of Morrison
& Foerster LLP in Berlin, said that determining mitigation measures and identifying
what type of follow-up action to take is a time-consuming project. “The reporting
needs to be done in a short time which means all those actions need to be decided
in this period, and a lot of companies right now are not equipped,” she said.

Burton said EU officials would have been wiser to require notification “once the breach
is addressed and the risks mitigated.”

Some Regulators May Not Be Prepared

For a preview of the GDPR's breach notice requirement, look to the Dutch experience.

A new breach notification law in the Netherlands took effect Jan. 1. The law requires
that data controllers notify the Dutch privacy office of a personal data breach when
there is a considerable likelihood of serious adverse effects for data subjects, a
higher threshold than the GDPR's requirement.

According to the Dutch DPA, it received more than 1,000 breach notifications in the
first 100 days of the law taking effect.

The low breach notice threshold in the GDPR will trigger a large number of notices
that will overwhelm “even the most prepared” privacy regulators, Burton said.

Moerel said that the Dutch privacy office didn't hire extra personnel to handle the
new notification requirement, and relied on a software tool to determine whether a
follow-up action was required. According to the office's own report, follow-up questions
were asked in only about 5 percent of the cases, and “we haven't seen a real finding
or enforcement based on the notifications yet.”
The privacy office wasn't able to review all of the notifications and risked turning
the law into nothing but a “paper tiger” administrative requirement, she said.

Many EU countries have never been legally required to notify authorities of a data
breach, so there will be an especially steep learning curve for inexperienced privacy
regulators.

Privacy offices in countries with limited experience in breach notification “may
find it challenging to adequately manage the potential high volume of data and to
support potential victims,” Adam Palmer, director of international government affairs
for Milpitas, Calif.-headquartered data security company FireEye Inc., said.

The number of notifications to privacy regulators will also vary country to country.
Regulators in countries that serve as the headquarters for multiple large companies
will definitely need to be prepared to receive the most breach notices, Moerel said.

Nauwelaerts said the volume of notifications will largely depend on how liberally
regulators interpret the reporting exemptions tied to breaches unlikely to risk the
rights and freedoms of natural persons.

Need for Guidance

One of the unintended consequences to the short notification period is that data controllers
will be reporting breaches that, after further forensic analysis, turn out not to
be a breach, Bruemmer said.

“The threshold should be higher,” Burton said.

The Article 29 Working Party of EU privacy officials from the 28 EU countries should
issue guidance to ensure that the breach notice mandate doesn't overwhelm privacy
offices. Moerel said that although the Dutch privacy office issued guidance before
its national law went into effect, companies felt that it was insufficient.

EU-wide rather than country-by-country guidance would be helpful because so many data
breaches involve issues across borders, Moerel said.

Nauwelaerts said that the European Data Protection Board, which will replace the Art.
29 Working Party, is also expected to issue guidance to clarify the circumstances in which
breach notification is required.

Companies Need to Prepare

There are a number of steps companies can take to prepare for the GDPR to enter into
force in May 2018.

The heavy fine of 2 percent of worldwide revenue that the GDPR prescribes for violations “not
only gets the CEO's attention, but the board of directors' attention,” Bruemmer said.

The privacy professionals also emphasized that companies need to have data breach response plans in place,
including breach notification procedures, in order to comply with the three-day window.

“When there is a breach, there is little place for improvisation,” Burton said. “You
need to act quickly and take the right decisions on the spot.”

“It's really worthwhile to do a tabletop exercise in order to think through how to
react in the event of a data breach,” Moerel said.

Bruemmer said that since passage of the GDPR, the level of activity among global companies
“to get a pre-breach response plan in place, outside counsel, forensic firms, crisis
public relations firms and data breach response vendors” has picked up significantly.

“The question is when a data breach will occur and not if a data breach will occur,”
Burton said.

To contact the reporter on this story: George R. Lynch in Washington at
glynch@bna.com

To contact the editor responsible for this story: Donald G. Aplin at
daplin@bna.com
